Analysis Overview
SHA256: f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdac
Threat Level: Shows suspicious behavior
The file f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-25 22:35
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-25 22:35
Reported: 2024-10-25 22:37
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 16s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\SysDrvR8\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvR8\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ26\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvR8\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe
"C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\SysDrvR8\aoptisys.exe
C:\SysDrvR8\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| Hash | Value |
| --- | --- |
| MD5 | 6f7f610eb941bb0e0d7c5d6badab896e |
| SHA1 | c34097346a06045c155d4d457d5af7e6416ca6a8 |
| SHA256 | 48dbe267963e303c2ddf59895c6dc0c8fc97f0ceca8452ef96b5b97757b95143 |
| SHA512 | a066c362dd96031c7d28eca8b69499b90024fca3f012e90465d6e7a346eab53547ecd96a32cec1dc8828c0340ae4b8afea7863e69c084c976905941b64f0caf7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 0603c88f2271022b7bbbb93151d9807c |
| SHA1 | 3c4e8edb470b74f1f8454ee5b66557064373f9a9 |
| SHA256 | c5b764b4a512fa22b4616c7dd6548d8bed1a535f5415f269c6c5a1d93338795d |
| SHA512 | 88a7c66ec13965c2970b4003902ce35bb6f1640f4872a37c31456c2136093d8ba5e1074b3f6472b084eac0de3ade0e7aba49d2164583bafae2c00e095fda6ad4 |
C:\SysDrvR8\aoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | 0724d07e7d5b7fd277e64106fe9ee77b |
| SHA1 | 552c141fb9e18061a38a1c70a5ec03b0570cd75e |
| SHA256 | 5daefb3189482d6f90595af6d7fc2cf59e10979ddecca1ce7c43de57429774dd |
| SHA512 | e13e0ebf8bfdccb681af312c731fb6680053c22b0c24d3371407d8ee876beaced13786e60fd7b3ee47dbce614802245e253df47fffe19e3a5a832ceb1acbdc08 |
C:\LabZ26\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 75072169624d4e0b20a2d761fada5c92 |
| SHA1 | 2953661a5ac2e1a652a9acc4aeb2361e0ed49047 |
| SHA256 | 14b6e6b7c9e0f2fbe1c28e42977bd6c810d4fa54e62e5042a56189de1d00b14a |
| SHA512 | 4822f0eb6feebfb618a778b05939a2208168d4e12f49cffa0bfb5eca6fcd7446aefb7753ee9cc5eedf26366785fa4c1cb03a333be740dd91e850c097f2dbfb6c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 766a384d79ea4cdaa04a6ac6f7a45e0e |
| SHA1 | 2ec293a3106658be45fa4825808f5857f38978f8 |
| SHA256 | 0271101121fa9cc3ff4732eba8f02c058fc74514ef1d0aa85ae389039f3b7b22 |
| SHA512 | d378b0d6292c654f200b4da2f8610aa849af476bdaaccee36575d7ab8847ace27195dd7cdb5e3ce2ffd9b5e39da087b2f2867b0fb706fa035e54b6443369de4d |
C:\LabZ26\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | d92ca5f62f48f92159bdaadd578ba4c2 |
| SHA1 | 20dd71cec5e15ba69c5016528d61d8c94376c274 |
| SHA256 | 8ebbade7ab49a3d5a58f34bc373118e36b2b63debdbac56006b6f039a3d6de48 |
| SHA512 | 0b2182a3db5b0530de5e3d83115bcd7fcbd4d2afe3110de78ee477cfd1ac53daa01f14a988bc508e2b2e83754ba91943994d8c9f160be5f8bbe9a14060ff297b |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-25 22:35
Reported: 2024-10-25 22:37
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 100s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\FilesOP\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOP\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintMR\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesOP\devdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe
"C:\Users\Admin\AppData\Local\Temp\f9e1e32e4e245bd5399e2cfcac43e555be8d42c09dc062b34e4993eb0531bdacN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\FilesOP\devdobsys.exe
C:\FilesOP\devdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| Hash | Value |
| --- | --- |
| MD5 | e252c817efd70ef12bba34b9f1de18ea |
| SHA1 | d835878cb9baf37e1920816892c99d2dee400062 |
| SHA256 | e00ec0c85819ae426132c6a457da388b7697681b5d70afb3b7e0b3a2feac9573 |
| SHA512 | 67b8cb7f915124604aee30a9e2495e7e9579ed71c71d8fbfd2f6771867e2d7423a2d959f77ac143b2f49824c1697dd906c262a21025e425474508755b0eff759 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c91740359f094806ca93e94e5a61d1f3 |
| SHA1 | 92d963c136b9e0d5d5f94c7052c7c32dcf4c2983 |
| SHA256 | c80739766545d3bf3f8f7dc30ae6d374a0de98c2def63ef3f620db671ff77cfe |
| SHA512 | b2723cab9aefef97c64562d237b4fcbc41d28d3fbfdaba96cbca0040f9ac884929bd470ea657d9ff5fbc419788c539cdede8751a4a68d96656a0410ae6e03812 |
C:\FilesOP\devdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | ca7abc5e3ba3c71d7cb96e8f79a6d11b |
| SHA1 | 082b6b5ddf80538ce3109ed240b5aa2c9f49a447 |
| SHA256 | efef8f48e6a1d559ea833fddf9092e9b13c56aac195d168712413c94ee4358e2 |
| SHA512 | 84eecd4f0a94bf583c786f6f2fe04238235c1013c241c4295d4ebc99a7fc1d495e4c9bc9b45765c23fe233d84cd7d419c50879f2a1c832570b86567f79ade2ca |
C:\MintMR\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | 8e1206674e4b1821d32322c95c033b0a |
| SHA1 | 500e1dd7e46bbdd7c48eaeab516e20fc43bd7a0a |
| SHA256 | 6ded76dda175db339906e79b2f4de6019bf97a99683a538f7f56a3161a00bd52 |
| SHA512 | 29e04f1e04205440d1ecfd0adae2a6d8cf9768bcae6809f5fb6d507e623765a1680538c5c307cdcb44e3cfcb680d9354ff8c02b5d429c8866a957421ccd13fb6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b9bb07f9928c63d7e7cae7c90799d3d1 |
| SHA1 | 41ffd2866d076666d5db0e7bc450cfc40072ba08 |
| SHA256 | b775dbe2a2b1e9584f099743463f22f83e35b3a0fc09886ac089f6c3d4b75487 |
| SHA512 | 6a03cbb5a6c7f08f47316b82c33960e2e75f1d61f83ed014c5fb6ea9ca3e825c4bd5a92b29bd0fff95a3f4f431f5ca7abd2a049e5691f5376613e7684b74ae75 |
C:\MintMR\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | afff6d75fe89b281379db9f5323089d6 |
| SHA1 | ebeeb9b239da5df26e4e5340ddc8eb4c4d95b6ce |
| SHA256 | 3adc7ad26f675ee1c1d75e4d0f31d9879e478da16a997a36684d18437c32b26e |
| SHA512 | ad5e1d5f2240b9309dceda85d362083120f80d2c4a79e14c4c195003bc5d09b7a7574c1d3385274879f589a0d2647278e45f4ec87e5b7b53709bdb84e7d9645f |